Azure Monitor Agent overview
Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Azure Monitor Agent replaces all of Azure Monitor's legacy monitoring agents. This article provides an overview of Azure Monitor Agent's capabilities and supported use cases.
Here's a short video introduction to Azure Monitor Agent, which includes a quick demo of how to set up the agent from the Azure portal: ITOps Talk: Azure Monitor Agent
Benefits
Using Azure Monitor agent, you get immediate benefits as shown below:
- Cost savings by using data collection rules:
  - Enables targeted and granular data collection for a machine or subset(s) of machines, as compared to the "all or nothing" approach of legacy agents.
  - Allows filtering rules and data transformations to reduce the overall data volume being uploaded, thus lowering ingestion and storage costs significantly.
- Simpler management including efficient troubleshooting:
  - Supports data uploads to multiple destinations (multiple Log Analytics workspaces, i.e. multihoming on Windows and Linux) including cross-region and cross-tenant data collection (using Azure Lighthouse).
  - Centralized agent configuration "in the cloud" for enterprise scale throughout the data collection lifecycle, from onboarding to deployment to updates and changes over time.
  - Any change in configuration is rolled out to all agents automatically, without requiring a client-side deployment.
  - Greater transparency and control of more capabilities and services, such as Microsoft Sentinel, Defender for Cloud, and VM Insights.
- Security and Performance:
  - Enhanced security through Managed Identity and Microsoft Entra tokens (for clients).
  - Higher event throughput that is 25% better than the legacy Log Analytics (MMA/OMS) agents.
- A single agent that serves all data collection needs across supported servers and client devices. A single agent is the goal, although Azure Monitor Agent is currently converging with the Log Analytics agents.
Consolidating legacy agents
Deploy Azure Monitor Agent on all new virtual machines, scale sets, and on-premises servers to collect data for supported services and features.
If you have machines already deployed with legacy Log Analytics agents, we recommend you migrate to Azure Monitor Agent as soon as possible. The legacy Log Analytics agent will not be supported after August 2024.
Azure Monitor Agent replaces the Azure Monitor legacy monitoring agents:
- Log Analytics Agent: Sends data to a Log Analytics workspace and supports monitoring solutions. This is fully consolidated into Azure Monitor agent.
- Telegraf agent: Sends data to Azure Monitor Metrics (Linux only). Only basic Telegraf plugins are supported today in Azure Monitor agent.
- Diagnostics extension: Sends data to Azure Monitor Metrics (Windows only), Azure Event Hubs, and Azure Storage. This is not consolidated yet.
Install the agent and configure data collection
Azure Monitor Agent uses data collection rules, where you define which data you want each agent to collect. Data collection rules let you manage data collection settings at scale and define unique, scoped configurations for subsets of machines. You can define a rule to send data from multiple machines to multiple destinations across regions and tenants.
Note
To send data across tenants, you must first enable Azure Lighthouse.
To collect data using Azure Monitor Agent:
1. Install the agent on the resource.
Resource type | Installation method | More information |
---|---|---|
Virtual machines, scale sets | Virtual machine extension | Installs the agent by using Azure extension framework. |
On-premises servers (Azure Arc-enabled servers) | Virtual machine extension (after installing the Azure Arc agent) | Installs the agent by using Azure extension framework, provided for on-premises by first installing Azure Arc agent. |
Windows 10, 11 desktops, workstations | Client installer | Installs the agent by using a Windows MSI installer. |
Windows 10, 11 laptops | Client installer | Installs the agent by using a Windows MSI installer. The installer works on laptops, but the agent isn't optimized yet for battery or network consumption. |
2. Define a data collection rule and associate the resource to the rule.
The table below lists the types of data you can currently collect with the Azure Monitor Agent and where you can send that data.
Data source | Destinations | Description |
---|---|---|
Performance | Azure Monitor Metrics (Public preview)1 - Insights.virtualmachine namespace; Log Analytics workspace - Perf table | Numerical values measuring performance of different aspects of operating system and workloads |
Windows event logs (including sysmon events) | Log Analytics workspace - Event table | Information sent to the Windows event logging system |
Syslog | Log Analytics workspace - Syslog2 table | Information sent to the Linux event logging system. Collect syslog with Azure Monitor Agent |
Text logs and Windows IIS logs | Log Analytics workspace - custom table(s) created manually | Collect text logs with Azure Monitor Agent |
1 On Linux, using Azure Monitor Metrics as the only destination is supported in v1.10.9.0 or higher.
2 Azure Monitor Linux Agent versions 1.15.2 and higher support syslog RFC formats including Cisco Meraki, Cisco ASA, Cisco FTD, Sophos XG, Juniper Networks, Corelight Zeek, CipherTrust, NXLog, McAfee, and Common Event Format (CEF).
Note
On rsyslog-based systems, Azure Monitor Linux Agent adds forwarding rules to the default ruleset defined in the rsyslog configuration. If multiple rulesets are used, inputs bound to non-default ruleset(s) are not forwarded to Azure Monitor Agent. For more information about multiple rulesets in rsyslog, see the official documentation.
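
One way to find the logging blind spot described in the note above, as an added example that is not part of the original article or Microsoft's code: the Python below scans rsyslog configuration text for inputs bound to a ruleset other than the default, which the agent's forwarding rules would not receive. The function names and the sample configuration are constructed for illustration, and the default ruleset is assumed to be rsyslog's built-in `RSYSLOG_DefaultRuleset`.

```python
import re

# Assumption: the default ruleset is rsyslog's built-in one and is not redefined.
DEFAULT_RULESET = "RSYSLOG_DefaultRuleset"

# Constructed sample configuration (not taken from a real host).
SAMPLE_CONF = '''
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514")                      # default ruleset
input(type="imtcp" port="6514"
      ruleset="firewalls")                          # bound elsewhere
input(type="imfile" File="/var/log/app/audit.log" Tag="app#1" ruleset="applogs")
# input(type="imtcp" port="9999" ruleset="disabled")
$InputUDPServerBindRuleset legacyremote
ruleset(name="firewalls") { action(type="omfile" file="/var/log/fw.log") }
ruleset(name="applogs") { action(type="omfile" file="/var/log/app.log") }
'''

# input(...) blocks; quoted values may contain ')' and the block may span lines.
INPUT_RE = re.compile(r'\binput\s*\(((?:[^()"]|"[^"]*")*)\)', re.I)
PARAM_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Legacy form, e.g. $InputTCPServerBindRuleset <name>
LEGACY_RE = re.compile(r'^\s*(\$Input\w*BindRuleset)\s+(\S+)', re.M | re.I)


def strip_comments(conf):
    """Remove '#' comments while leaving '#' inside quoted values alone."""
    return re.sub(r'("[^"]*")|#.*', lambda m: m.group(1) or "", conf)


def unforwarded_inputs(conf):
    """Return (input type, source, ruleset) for inputs off the default ruleset."""
    conf = strip_comments(conf)
    findings = []
    for block in INPUT_RE.finditer(conf):
        params = {k.lower(): v for k, v in PARAM_RE.findall(block.group(1))}
        ruleset = params.get("ruleset")
        if ruleset and ruleset != DEFAULT_RULESET:
            source = params.get("port") or params.get("file") or "?"
            findings.append((params.get("type", "?"), source, ruleset))
    for directive, ruleset in LEGACY_RE.findall(conf):
        if ruleset != DEFAULT_RULESET:
            findings.append(("legacy", directive, ruleset))
    return findings


if __name__ == "__main__":
    for kind, source, ruleset in unforwarded_inputs(SAMPLE_CONF):
        print(f"{kind} {source}: bound to ruleset '{ruleset}', not forwarded")
```

Run it over the concatenated contents of `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf`; each finding is a source whose messages need their own forwarding action, or a move to the default ruleset, before they reach the workspace.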
Note
Azure Monitor Agent also supports the Azure service SQL Best Practices Assessment, which is currently generally available. For more information, refer to Configure best practices assessment using Azure Monitor Agent.
Supported services and features
For a list of features and services that use Azure Monitor Agent for data collection, see Migrate to Azure Monitor Agent from Log Analytics agent.
Supported regions
Azure Monitor Agent is available in all public regions, Azure Government and China clouds, for generally available features. It's not yet supported in air-gapped clouds. For more information, see Product availability by region.
Costs
There's no cost for the Azure Monitor Agent, but you might incur charges for the data ingested and stored. For information on Log Analytics data collection and retention and for customer metrics, see Azure Monitor pricing.
Compare to legacy agents
The tables below provide a comparison of Azure Monitor Agent with the legacy Azure Monitor telemetry agents for Windows and Linux.
Windows agents
Category | Area | Azure Monitor Agent | Log Analytics Agent | Diagnostics extension (WAD) |
---|---|---|---|---|
Environments supported | ||||
Azure | ✓ | ✓ | ✓ | |
Other cloud (Azure Arc) | ✓ | ✓ | ||
On-premises (Azure Arc) | ✓ | ✓ | ||
Windows Client OS | ✓ | |||
Data collected | ||||
Event Logs | ✓ | ✓ | ✓ | |
Performance | ✓ | ✓ | ✓ | |
File based logs | ✓ | ✓ | ✓ | |
IIS logs | ✓ | ✓ | ✓ | |
ETW events | ✓ | |||
.NET app logs | ✓ | |||
Crash dumps | ✓ | |||
Agent diagnostics logs | ✓ | |||
Data sent to | ||||
Azure Monitor Logs | ✓ | ✓ | ||
Azure Monitor Metrics1 | ✓ (Public preview) | ✓ (Public preview) | ||
Azure Storage - for Azure VMs only | ✓ (Preview) | ✓ | ||
Event Hubs - for Azure VMs only | ✓ (Preview) | ✓ | ||
Services and features supported | ||||
Microsoft Sentinel | ✓ (View scope) | ✓ | ||
VM Insights | ✓ | ✓ | ||
Microsoft Defender for Cloud - Only uses MDE agent | ||||
Automation Update Management - Moved to Azure Update Manager | ✓ | ✓ | ||
Azure Stack HCI | ✓ | |||
Update Manager - no longer uses agents | ||||
Change Tracking | ✓ | ✓ | ||
SQL Best Practices Assessment | ✓ |
Linux agents
Category | Area | Azure Monitor Agent | Log Analytics Agent | Diagnostics extension (LAD) | Telegraf agent |
---|---|---|---|---|---|
Environments supported | |||||
Azure | ✓ | ✓ | ✓ | ✓ | |
Other cloud (Azure Arc) | ✓ | ✓ | ✓ | ||
On-premises (Azure Arc) | ✓ | ✓ | ✓ | ||
Data collected | |||||
Syslog | ✓ | ✓ | ✓ | ||
Performance | ✓ | ✓ | ✓ | ✓ | |
File based logs | ✓ | ||||
Data sent to | |||||
Azure Monitor Logs | ✓ | ✓ | |||
Azure Monitor Metrics1 | ✓ (Public preview) | ✓ (Public preview) | |||
Azure Storage - for Azure VMs only | ✓ (Preview) | ✓ | |||
Event Hubs - for Azure VMs only | ✓ (Preview) | ✓ | |||
Services and features supported | |||||
Microsoft Sentinel | ✓ (View scope) | ✓ | |||
VM Insights | ✓ | ✓ | |||
Microsoft Defender for Cloud - Only uses MDE agent | |||||
Automation Update Management - Moved to Azure Update Manager | ✓ | ✓ | |||
Update Manager - no longer uses agents | |||||
Change Tracking | ✓ | ✓ |
1 To review other limitations of using Azure Monitor Metrics, see quotas and limits. On Linux, using Azure Monitor Metrics as the only destination is supported in v.1.10.9.0 or higher.
Supported operating systems
The following tables list the operating systems that Azure Monitor Agent and the legacy agents support. All operating systems are assumed to be x64. x86 isn't supported for any operating system.
View supported operating systems for Azure Arc Connected Machine agent, which is a prerequisite to run Azure Monitor agent on physical servers and virtual machines hosted outside of Azure (that is, on-premises) or in other clouds.
Windows
Operating system | Azure Monitor agent | Log Analytics agent (legacy) | Diagnostics extension |
---|---|---|---|
Windows Server 2022 | ✓ | ✓ | |
Windows Server 2022 Core | ✓ | ||
Windows Server 2019 | ✓ | ✓ | ✓ |
Windows Server 2019 Core | ✓ | ||
Windows Server 2016 | ✓ | ✓ | ✓ |
Windows Server 2016 Core | ✓ | ✓ | |
Windows Server 2012 R2 | ✓ | ✓ | ✓ |
Windows Server 2012 | ✓ | ✓ | ✓ |
Windows Server 2008 R2 SP1 | ✓ | ✓ | ✓ |
Windows Server 2008 R2 | ✓ | ||
Windows Server 2008 SP2 | ✓ | ||
Windows 11 Client and Pro | ✓2, 3 | ||
Windows 11 Enterprise (including multi-session) | ✓ | ||
Windows 10 1803 (RS4) and higher | ✓2 | ||
Windows 10 Enterprise (including multi-session) and Pro (Server scenarios only) | ✓ | ✓ | ✓ |
Windows 8 Enterprise and Pro (Server scenarios only) | ✓1 | ||
Windows 7 SP1 (Server scenarios only) | ✓1 | ||
Azure Stack HCI | ✓ | ✓ | |
Windows IoT Enterprise | ✓ |
1 Running the OS on server hardware that is always connected, always on.
2 Using the Azure Monitor agent client installer.
3 Also supported on Arm64-based machines.
Linux
Operating system | Azure Monitor agent 1 | Log Analytics agent (legacy) 1 | Diagnostics extension 2 |
---|---|---|---|
AlmaLinux 9 | ✓3 | ✓ | |
AlmaLinux 8 | ✓3 | ✓ | |
Amazon Linux 2017.09 | ✓ | ||
Amazon Linux 2 | ✓ | ✓ | |
CentOS Linux 8 | ✓ | ✓ | |
CentOS Linux 7 | ✓3 | ✓ | ✓ |
CBL-Mariner 2.0 | ✓3,4 | ||
Debian 11 | ✓3 | ||
Debian 10 | ✓ | ✓ | |
Debian 9 | ✓ | ✓ | ✓ |
Debian 8 | ✓ | ||
OpenSUSE 15 | ✓ | ||
Oracle Linux 9 | ✓ | ||
Oracle Linux 8 | ✓ | ✓ | |
Oracle Linux 7 | ✓ | ✓ | ✓ |
Oracle Linux 6.4+ | ✓ | ||
Red Hat Enterprise Linux Server 9+ | ✓ | ||
Red Hat Enterprise Linux Server 8.6+ | ✓3 | ✓ | ✓2 |
Red Hat Enterprise Linux Server 8.0-8.5 | ✓ | ✓ | ✓2 |
Red Hat Enterprise Linux Server 7 | ✓ | ✓ | ✓ |
Red Hat Enterprise Linux Server 6.7+ | |||
Rocky Linux 9 | ✓ | ✓ | |
Rocky Linux 8 | ✓ | ✓ | |
SUSE Linux Enterprise Server 15 SP4 | ✓3 | ||
SUSE Linux Enterprise Server 15 SP3 | ✓ | ||
SUSE Linux Enterprise Server 15 SP2 | ✓ | ||
SUSE Linux Enterprise Server 15 SP1 | ✓ | ✓ | |
SUSE Linux Enterprise Server 15 | ✓ | ✓ | |
SUSE Linux Enterprise Server 12 | ✓ | ✓ | ✓ |
Ubuntu 22.04 LTS | ✓ | ✓ | |
Ubuntu 20.04 LTS | ✓3 | ✓ | ✓ |
Ubuntu 18.04 LTS | ✓3 | ✓ | ✓ |
Ubuntu 16.04 LTS | ✓ | ✓ | ✓ |
Ubuntu 14.04 LTS | ✓ | ✓ |
1 Requires Python (2 or 3) to be installed on the machine.
2 Requires Python 2 to be installed on the machine and aliased to the python command.
3 Also supported on Arm64-based machines.
4 Requires at least 4GB of disk space allocated (not provided by default).
Note
Machines and appliances that run heavily customized or stripped-down versions of the above distributions and hosted solutions that disallow customization by the user are not supported. Azure Monitor and legacy agents rely on various packages and other baseline functionality that is often removed from such systems, and their installation may require some environmental modifications considered to be disallowed by the appliance vendor. For instance, GitHub Enterprise Server is not supported due to heavy customization as well as documented, license-level disallowance of operating system modification.
Note
CBL-Mariner 2.0's disk size is by default around 1GB to provide storage COGS savings, compared to other Azure VMs that are around 30GB. However, the Azure Monitor Agent requires at least 4GB disk size in order to install and run successfully. Please check out CBL-Mariner's documentation for more information and instructions on how to increase disk size before installing the agent.
Linux Hardening Standards
The Azure Monitoring Agent for Linux now officially supports various hardening standards for Linux operating systems and distros. Every release of the agent is tested and certified against the supported hardening standards. We test against the images that are publicly available on the Azure Marketplace and published by CIS and only support the settings and hardening that are applied to those images. If you apply additional customizations on your own golden images, and those settings are not covered by the CIS images, it will be considered a non-supported scenario.
Only the Azure Monitoring Agent for Linux will support these hardening standards. There are no plans to support this in the Log Analytics Agent (legacy) or the Diagnostics Extension.
Currently supported hardening standards:
- SELinux
- CIS Lvl 1 and 2¹
On the roadmap
- STIG
- FIPS
Operating system | Azure Monitor agent 1 | Log Analytics agent (legacy) 1 | Diagnostics extension 2 |
---|---|---|---|
CentOS Linux 7 | ✓ | ||
Debian 10 | ✓ | ||
Ubuntu 18 | ✓ | ||
Ubuntu 20 | ✓ | ||
Red Hat Enterprise Linux Server 7 | ✓ | ||
Red Hat Enterprise Linux Server 8 | ✓ |
1 Supports only the above distros and versions
Frequently asked questions
This section provides answers to common questions.
Does Azure Monitor require an agent?
An agent is only required to collect data from the operating system and workloads in virtual machines. The virtual machines can be located in Azure, another cloud environment, or on-premises. See Azure Monitor Agent overview.
How can I be notified when data collection from the Log Analytics agent stops?
Use the steps described in Create a new log alert to be notified when data collection stops. Use the following settings for the alert rule:
- Define alert condition: Specify your Log Analytics workspace as the resource target.
- Alert criteria:
  - Signal Name: Custom log search.
  - Search query: `Heartbeat | summarize LastCall = max(TimeGenerated) by Computer | where LastCall < ago(15m)`.
  - Alert logic: Based on number of results, Condition Greater than, Threshold value 0.
  - Evaluated based on: Period (in minutes) 30, Frequency (in minutes) 10.
- Define alert details:
  - Name: Data collection stopped.
  - Severity: Warning.
Specify an existing or new action group so that when the log alert matches criteria, you're notified if you have a heartbeat missing for more than 15 minutes.
Will Azure Monitor Agent support data collection for the various Log Analytics solutions and Azure services like Microsoft Defender for Cloud and Microsoft Sentinel?
Review the list of Azure Monitor Agent extensions currently available in preview. These extensions are the same solutions and services now available by using the new Azure Monitor Agent instead.
You might see more extensions getting installed for the solution or service to collect extra data or perform transformation or processing as required for the solution or service. Then use Azure Monitor Agent to route the final data to Azure Monitor.
The following diagram explains the new extensibility architecture.
Is Azure Monitor Agent at parity with the Log Analytics agents?
Review the current limitations of Azure Monitor Agent when compared with Log Analytics agents.
Does Azure Monitor Agent support non-Azure environments like other clouds or on-premises?
Both on-premises machines and machines connected to other clouds are supported for servers today, after you have the Azure Arc agent installed. For purposes of running Azure Monitor Agent and data collection rules, the Azure Arc requirement comes at no extra cost or resource consumption. The Azure Arc agent is only used as an installation mechanism. You don't need to enable the paid management features if you don't want to use them.
Does Azure Monitor Agent support auditd logs on Linux or AUOMS?
Yes, but you need to onboard to Defender for Cloud (previously Azure Security Center). It's available as an extension to Azure Monitor Agent, which collects Linux auditd logs via AUOMS.
Why do I need to install the Azure Arc Connected Machine agent to use Azure Monitor Agent?
Azure Monitor Agent authenticates to your workspace via managed identity, which is created when you install the Connected Machine agent. Managed Identity is a more secure and manageable authentication solution from Azure. The legacy Log Analytics agent authenticated by using the workspace ID and key instead, so it didn't need Azure Arc.
Next steps
- Install the Azure Monitor Agent on Windows and Linux virtual machines.
- Create a data collection rule to collect data from the agent and send it to Azure Monitor.